
Are you hungry for a better approach to risk appetite?

Recently, Chris Burt of Halex Consulting sent me a copy of a paper he had written, “Feeling hungry? A simpler, more intelligent approach to risk appetite”.

There’s a great deal to like in his approach:

  • Your organisation is clear on its purpose and values, has a clearly-defined corporate strategy and has even set SMART strategic objectives for the executive. But how much risk should the organisation take in trying to achieve its objectives and deliver its strategy?
  • Unfortunately, the generally accepted approach is to develop a board-level risk appetite statement. Such statements tend to be theoretical, static documents that jump through the hoops of addressing how much – or how little – of key types of risk the organisation is willing to accept or avoid.
  • What about Board decision-making? Ideally, it should be informed by risk appetite. But how many boards consult their own risk appetite statement when considering major decisions, including changes to strategy? The answer is, unsurprisingly, very few. And the reason: board-level risk appetite statements tend to be difficult to understand and impractical to use in real-world decision-making situations.
  • The key weakness of the current approach to risk appetite (including risk appetite frameworks derived from the Board’s risk appetite statement) is that it places undue emphasis on risks, rather than focusing on outcomes in decision-making.
  • What this approach fails to recognise is that successfully achieving an objective relies not just on preventing bad things from happening (mitigating risks), but also on making good things happen. That is, taking active steps to deliver the objective. Current approaches to risk management tend to gloss over the importance of this activity, paying lip-service to exploiting ‘opportunities’ while focusing on lists of risks.
  • The Board should clearly prioritise and set targets for certainty of achievement for each primary objective across a range of categories – such as strategic, operational, financial, compliance, CSR/ESG and viability. Those objectives most critical to the organisation – and thus requiring a very high certainty of achievement – should receive more Board attention and management resources than less important objectives.
  • Current risk management thinking requiring definition of a risk appetite is flawed and unhelpful. A better approach is to focus on the certainty of achievement of objectives.

All of the above is, IMHO, 100% correct. It is very much in line with a new book I am finalizing that will be published (hopefully) before the end of the year. The working title is Risk Management for Success, and it talks about how organizations can change from using risk management to understand potential harms to using it to increase the likelihood of achieving objectives, i.e., success.

Unfortunately, I think Chris has not taken the argument to the next logical step. He stumbles instead.

He suggests that:

The organisation’s aim should be to increase the certainty of achieving its objectives through minimising residual risks to the point of residual risk/cost of control equilibrium and taking active steps to deliver the objective – i.e. ‘making good things happen’

While the cost of control is certainly something to consider, there are times (many, many times) when more risk should be taken because of the potential for increased reward. For example, organizations will introduce a new product to the market to drive new revenue even though they know that it is not 100% perfect. Waiting until it is perfect (which may never be achieved with certainty) may mean losing the opportunity. It is worth taking the risk.

Yes, organizations should seek to have an acceptable likelihood of achieving their objectives. That requires making informed and intelligent decisions and taking the right risks.

A better approach to risk appetite? Do what you need to comply with regulations and then run the organization for success.

I welcome your thoughts.

  1. October 1, 2020 at 5:29 PM


    Why use this cumbersome term based on a nonsense word anyway?

    Apart from the fact that some regulators, goaded by consultants, insist on a piece of paper with this term as its title.

    Of course, no respecting Board would think to look at such rubbish when they prepare for a decision. They think about the opportunity being presented, how it aligns with their organisation’s purpose, the context for decision and the assumptions involved. Then, when they are satisfied they understand all that, they might adjust the decision until they are sufficiently certain it will lead to the outcomes they desire.


    No complicated language, no artificial concepts based on terms that no one can agree on. Just the way that all humans make decisions.

    ‘Risk appetite’ is just another artefact of the ‘risk management’ belief system and is one of the more obvious examples of a concept, simply made up by consultants to help them make even more money out of the gullible. There is no science in it and no one I’ve met can actually show how any value is created from the typically $50,000+ of fees or effort taken to produce a ‘risk appetite statement’. It’s just another con and people who spend that sort of money on something so useless are fools.

    • Dragica G.
      October 2, 2020 at 4:57 AM

      What you say is not outlandish, but let’s face it, boards and senior management need boundaries. This is what I tell my clients in terms of their risk appetite/tolerance. In the industry I work with, they are hard pressed to recognize boundaries at times because they are always so smart, until something goes very badly wrong.
      I do agree so much time can be wasted if the use of the terms is not clearly understood, and at the same time, certain parameters should be respected. Since in most sectors, especially financial services, it’s all about the financial impact, having to define how much a company is willing to lose and on what, makes sense. That’s what the conversation should be about, not some arbitrary risk appetite and tolerance.

      • October 2, 2020 at 4:45 PM


        I currently sit on four boards, two of which I chair. I’ve sat on others in the past and attended many other board meetings. I can’t ever recall any board meeting making or confirming a decision using any piece of paper with the word ‘risk’ as its title. In fact, in every organisation I’ve dealt with over quite a few years (and there have been many) I’ve yet to find one where a ‘risk appetite statement’ has been used for anything other than as a very expensive drawer liner.

        Only yesterday I chaired the Finance and Investment Committee of a Board I sit on. The organisation faces a very difficult decision concerning an event scheduled for January next year that normally becomes its ‘cash cow’ for the following year. However, with COVID restrictions and many other complex and related factors, it is clear that, at best, only a significantly reduced event could possibly go ahead and even that might have to be cancelled at short notice.

        I can’t go into any more detail than that, but I can say that the decision involved many, many factors of which only a few related to $.

        As is typical, the organisation’s leadership had prepared a briefing paper for the Committee that set out the opportunity, the context and the assumptions with the associated uncertainties. The Committee considered all that and reflected on potential options (tentative decisions) and tested out its understanding by questioning the CEO.

        As Chair I then asked the Committee two questions:
        1) Are we sufficiently certain we will achieve the outcomes we desire from this event from any of the options we considered? And the unanimous response to this simple question was “no”.
        2) Will the outcomes from any of the options help us achieve our purpose (which includes the word “excellence”)? And the unanimous response to this was also “no”.

        It was therefore clear the advice the Committee should give its Board – which I am glad to say it has accepted.

        I mention all this as an example of how real decisions are made in the real world, in this case, at Board level. No one uses or could use simple criteria related to some financial metric or the nebulous and artificial virtue signals normally found in so called ‘risk appetite statements’.

        Sure, organisations should and always will use operational criteria as part of monitoring processes to ensure that decision outcomes are as desired and that the context has not changed sufficiently to invalidate previous decisions. These will include things like ‘stop loss’ financial criteria. However, this is a monitoring activity and not part of making a decision. As we explain in our book, setting up these monitoring processes should be part of making the original decision.

  2. October 1, 2020 at 5:38 PM

    Sadly Norman, yet another post and yet another author (Chris Burt) demonstrating the eternal problems as well as the irrelevance of ‘risk management’ (whatever that means) and all of its silly confected expressions (think ‘risk appetite’) without reaching the obvious and inevitable conclusion. It’s not needed!
    As Grant Purdy and I explain in our book “DECIDING”, sound decisions are made by skillful application of the universal decision making method (which everyone uses – albeit often without being aware of doing so) and by NOT confusing and undermining decision-making with the hopelessly muddled and totally unnecessary complications of ‘risk management’.
    As we explain in Appendix C of our book, ridding oneself of this scourge is quite straightforward. Or, as John Lennon might have said …..
    “Imagine there’s no risk management ……It’s easy if you try!” And the rewards are huge!

    • Dragica G.
      October 2, 2020 at 5:01 AM

      Take a look around you and ask yourself how many decisions are actually wrapped in ‘certainty’ . . . Not one. If there is no choice about what to do, there is no decision, and not every action/decision has a certain outcome. Get with it! We need risk management now more than ever. We are in such uncertain times, that we just don’t know what is next, but we cannot sit still. We need to decide and any action in any direction has an uncertain outcome. That’s taking a risk . . . Without risk and being prepared for the uncertain outcome is the simplicity of what we are dealing with. Come on Roger, you gotta see that!!

      • October 2, 2020 at 12:41 PM

        Actually Dragica, I don’t “gotta” see what you say at all ….. particularly when you misrepresent what I have said. I did not say decisions are ‘wrapped in certainty’ nor did I say that ‘every decision has a certain outcome’. You just made those things up, I’m afraid.
        Can I suggest that you read our book “Deciding” and you will see what I and my co-author have actually said (which is roughly the opposite of what you assert we have said). You say ‘We need to decide…’. Well, er yes, we do! Rational decision-makers therefore need to understand the sources of uncertainty and adjust their decision in order to provide sufficient certainty. As a matter of fact, everyone does this in their decision making, but not always as well as they might. The challenge of gaining sufficient certainty is not helped through the use of spurious language or introducing gimmicks such as ‘risk appetite statements’.

        • Norman Marks
          October 2, 2020 at 12:51 PM

          I don’t think you ever have “sufficient certainty”, which is why I have not adopted that expression. However, you can be reasonably confident and you can strive for what you believe is an acceptable likelihood of achieving objectives – and I have read your book.

          • October 2, 2020 at 1:14 PM

            Surely, Norman, it is axiomatic that if in the process of making a decision (the result of which when implemented, will be an outcome) you have reached the point as Decider of finalising the decision and proceeding, you do so because for you as Decider, those outcomes (both those you are seeking and those you wish to avoid) are sufficiently certain.
            It doesn’t really matter whether you have reached that point through being ‘reasonably confident’ or because you ‘believe’ something or other. If the outcomes were not sufficiently certain FOR YOU, you would do some more work to adjust or replace the tentative decision to reduce uncertainty and the significance of the assumptions on which the decision is based, and thereby gain more certainty until you had sufficient certainty. (‘Sufficient certainty’ is not an ‘expression’ as you suggest, but just two words with their ordinary meanings!)

            • Norman Marks
              October 2, 2020 at 1:23 PM

              No, Roger. It is not at all “axiomatic” that the outcomes are sufficiently certain. Uncertainty remains.

              I find it interesting that you quibble over the use of the phrase risk management but have sufficient certainty that everybody understands sufficient certainty.

              Here’s the issue: people believe they need risk management and it is required by some governance codes and regulators.

              I agree that, as practiced in the great majority of organizations, it is ineffective.

              So there are three choices:
              1. Carry on and expect different results
              2. Trash the term and throw everything out
              3. Explain how it can be transformed from managing risk to managing for success

              I choose door #3. I hope this approach will get them to at least sit down and listen.

              Ask Grant for a copy of the draft of my new book. I think you will not only be surprised but once you set aside your bias against the phrase will agree with what I have written.

              • Norman Marks
                October 2, 2020 at 5:04 PM

                Thank you for your input, Grant. It’s a pity you didn’t set aside your bias and actually read and consider it.

            • Norman Marks
              October 2, 2020 at 1:24 PM

              By the way, I have recommended your book and quoted from it in places in mine.

              • October 2, 2020 at 2:06 PM

                Thanks for the recommendation to read our book Norman. Much appreciated. Interestingly, several readers have written to us to tell us, as one put it, ‘this blessedly slim’ book had provided a ‘light bulb’ moment enabling them to finally rid themselves of the millstone of ‘risk management’.
                Concerning the first para of your previous post, being sufficiently certain about something does not mean there is no residual uncertainty. Indeed, if that were so, there would be no need for the adverb ‘sufficiently’. As to the three options you mention for dealing with the mess into which ‘RM’ has degenerated, option 1 would just perpetrate the mess with no beneficial outcome, option 2 not only rids the organisation of the mess but also clears the way for rational decision making, free of the ‘RM’ distraction. As for option 3, renaming a mess doesn’t solve anything.
                As to this last point, I have watched your many thoughtful posts with interest and note that you often state (or agree with others) that the R word is fraught and hopeless and yet you inevitably find yourself having to continue to use it. In writing our book, Grant and I found that by adopting the practice of never using the word (which, given our backgrounds, was at first, a bit unnatural) we were forced to think in first principles and it was that discipline which provided the ‘light bulb’ realisation that our readers have reported: R and RM are entirely superfluous to making sound decisions! But also an encumbrance!

                • Norman Marks
                  October 2, 2020 at 2:17 PM

                  Roger, you are correct and I have written a book for executives that explicitly explains not only that the r word inhibits performance, but plain English can be used without a problem.

                  I am trying to move people from traditional risk management to success management. They won’t do that if they don’t pick up the book.

                  I am pleased that your book is having an impact.

  3. October 1, 2020 at 9:16 PM

    Would an ERM function be more useful if it acted primarily as an internal assurance & advisory service over the entity’s Monitoring and Information processes & controls? Essentially, helping develop & support the Decision Support Systems that the senior leaders rely on as inputs to the strategic processes?

    • October 1, 2020 at 10:03 PM


      It would be even more useful if it dropped silly acronyms like ERM and nonsense words like ‘controls’.

      Maybe if the people in the function spoke normal English (or their native tongue) and actually helped their organisation make better decisions they would have more credibility with decision makers and would feel that they are actually helping the organisation achieve its purpose.

      This may not seem as outlandish as you might think. I’ve spoken to many people with the ‘r’ word in their title recently and all lack a degree of self worth because of the label over their door. I’ve also recently spoken to a professional association with the ‘r’ word in its name and it is struggling to re-brand or something now the board have started singing the John Lennon song Roger mentions above.

      The biggest obstacle to many in the ‘profession’ is that if they admit what we are discussing here, they have no job. Sort of like the Emperor’s New Clothes!!

  4. steve fowler
    October 2, 2020 at 12:42 AM

    I wholeheartedly agree with Chris’ approach.
    In some quarters, the whole notion of risk management (or as it’s now called enterprise risk management …..) has been devalued and replaced with that shiny new term ‘resilience’. That in due course will prove to be equally jargonised and replaced by something else.
    Now as for ‘risk appetite’ – before we get into the many conflicting and different definitions of that term, and of risk tolerance, risk capacity and everything else, don’t we just mean how far we’re willing to go when we make a decision? What are we willing to lose against the possibility of a gain? If it looks like a duck, and walks like a duck, we don’t call it an avian perambulatory creature.

    • Dragica G.
      October 2, 2020 at 5:03 AM

      Agree . . . If only people would understand that ‘resilience’ is an outcome of good risk management, not a ‘thing’ on its own. I agree, risk tolerance/appetite is merely a boundary, the parameters of where we are willing to venture. Let’s make it simpler, not harder.

  5. October 2, 2020 at 3:20 AM

    Grant & Chris. You are right – if leaders automatically and systematically took uncertainties into due account when making decisions, there would be no need for risk management. Just as, if everyone behaved nicely, prudently and empathetically – there would be no need for police forces.

    As I am sure you both recognize, the real world is not like that. Decisions – even big complex decisions – are taken based on political discussions and power-games in a biased board/executive team – unhampered by facts and known uncertainties. The leaders then ask some poor guy to “make it happen” and fire him/her, if he/she does not succeed – irrespectively of how “silly” the targets were.

    The fact that the two of you have written a book on how it should be doesn’t make it so. Therefore, in this world, the next step (from “gut feeling” decisions) is to provide tools and methodology to embed uncertainty thinking into decision making and implementation planning, i.e. is risk management.

    There may not be a need for a “risk appetite” statement – but when discussions on decisions are made, those making the call should ask for, and get, valid insight as to the likelihood of the decision being successful. You don’t need a risk appetite statement – but ask case by case – “are you OK with this”.

    • October 2, 2020 at 12:54 PM

      Actually Hans, we have not written a book about ‘how it should be’. You will see if you care to read “Deciding” that we have written a book about ‘how it is’ in which we describe how all decisions are made and how, by being more aware of that and becoming even better at its steps, Deciders can make even better decisions by being sufficiently certain about the outcomes that will actually result. And not only can they do so without using a word that has many, but no shared, meanings, but are BETTER able to do so because they don’t use the R word and all the invented gibberish that goes with it.

  6. Dragica G.
    October 2, 2020 at 4:48 AM

    Good day, Norman,
    I have been following your work for some time. I welcome your new book.
    I wrote a short ebook a number of years ago called ‘ERM for Next Level Performance’ – it was along the same lines but speaks more to our ‘Risk Delta System for ERM’ which is still in use today. That was started in 2005 and it was released in 2008, now being edited for 3rd edition. I could not agree more with your approach – good ERM practices are recognized as repeatable, sustainable and demonstrable – which require discipline and structure. To many it is hard work . . . Indeed it is . . . Anything that is really worth it, is work.
    I wish you every success with your work and look forward to your book.
    Dragica Grbavac

    • Norman Marks
      October 2, 2020 at 7:00 AM

      Thank you

  7. Anonymous
    October 2, 2020 at 1:06 PM

    Norman, I agree with your exception to Chris’ approach. Given a corporate risk appetite statement, it may sub-optimize overall outcomes if an organization is “minimising residual risks to the point of residual risk/cost of control equilibrium”. Time and staff are limited resources that can be applied to other objectives important to the organization. Once an objective’s risks are mitigated below management’s level of concern, refocusing resources may be in the best interests of the organization’s other objectives. Thanks for the post.

    • Grant Purdy
      October 2, 2020 at 5:04 PM

      I’m sorry ‘Anonymous’, but your response is a perfect example of why real people who make real decisions never use anything that ‘risk management professionals’ produce.

      I’ve been in the RM business for 42 years now and I can’t understand what you are saying!
